One more new year's resolution...un-sensational cyber security
As we prepped yesterday for tomorrow's Intelligent Utility Reality Webcast on cyber security, one panelist asked me a great question: is the goal of the webcast sensational or educational? Apparently, he had been to a few too many with the sensational goal, and he really preferred a webcast that would provide the latter. I think he found the right webcast, but his question left me thinking: cyber security is such a sensitive topic, how can one be educational without being even a smidge sensational? Cracking codes, finding security flaws, and infiltrating secure areas are the stuff movies are made of. (Remember Hackers and War Games? Smart grid cyber security could have serious movie potential. It could even be called Attack of the Grid. Sorry, I digress.)
It is certainly difficult to find that balance, but I think it makes for a good new year's resolution -- not just for me, but for the industry -- to look at what un-sensational educational aspects we can bring forth on cyber security. Now, I am not talking about sharing all of our deepest cyber security secrets, but talking about the high-level technological, public policy and even people aspects of working on cyber security for a smarter grid. Cyber security is one of those topics that will continue to haunt the industry, so we can't ignore it. We look forward to bringing you more educational and un-sensational (but still interesting) cyber security stories in 2010. Here's one from our latest issue of Intelligent Utility magazine. I would love to hear what you think of it.
The defense: Oncor keeps raising the bar on security
Oncor is building intelligence across its network -- from synchrophasors on its transmission networks to advanced metering on homes and businesses. Mark Carpenter, Oncor's vice president and CIO, noted that the utility's smart grid "is not any one thing, but is essentially spreading intelligent devices throughout the utility system, building a communications network to support these devices, bringing the data back and converting it into useful information."
A smarter grid will bring Oncor numerous benefits, but it will also create security challenges. "Unfortunately, we have some very smart, innovative, creative people who want to cause mayhem," said Jim Greer, Oncor's senior vice president of asset management and engineering. During a recent interview with Intelligent Utility magazine, Carpenter and Greer discussed how Oncor secures its increasingly intelligent grid.
Building on past experience
"We recognize that Oncor is starting out with a very secure platform," Greer said. "We're wrapping the new advanced metering system with the same protective layers used to secure our transmission grid management system. At the same time, we're adding additional layers of security, control mechanisms and risk mitigation to address newly exposed security risks. The advanced metering system is not just another business management or business information system. It's really in a different category. The system requires data network security, firewalls and penetration testing.
"But security -- whether it's in utilities, banking or another industry -- is never going to be good enough. Therefore, it's essential to always be on guard. Oncor is constantly monitoring, testing and moving to the next level. Our vendors are clearly prepared. We're participating in standards development and helping shape that outcome. We understand and recognize that it's never going to be good enough and we keep moving the bar up."
Balancing physical and cyber security
With respect to key components of a smarter grid, Carpenter addressed physical security and cyber security for communications networks, meters and home energy devices. First, he explained some protective measures for communications infrastructure. One example of physical security is leveraging the existing security of substations. Oncor places some of its communications infrastructure in substations, "partly because of the additional security that we get. Although we have functional security, we don't want a bad guy to be able to get into a communications box. We'll be able to tell if he gets into a box, but he is first going to have to go over a fence."
So what about the physical security on the meters? "We continue to work on physical security. In areas where meter theft or moving meters around is common, Oncor installs brackets that make it a lot more difficult to steal meters. Potential thieves have to break locked physical barriers.
"In the future, software will let us know about theft. When somebody steals an advanced meter and puts it somewhere else, we will know it."
Carpenter also talked about a recent PowerPoint slide deck. "Recently, I reformatted a presentation. The reason I did was for security because it had some information that I wouldn't want to get into the wrong hands. We're very conscious about cyber security, physical security and information security. Therefore, in a presentation, I may show something, such as a map, but I may have to adjust the map so people don't get too much information."
At the end of the day, "We've got to have better defense than they have offense," said Carpenter. "We will never make something totally impenetrable. Security is something we continue to make great strides in improving because the bad guys have made great strides in what they do. We're always going to have to stay a step ahead."
We look forward to discussing this and other issues with all the players in the emerging intelligent utility. If you have thoughts you'd like to share, please contact me by e-mail at firstname.lastname@example.org or by telephone at 303-228-4762.